[Openstack-security] [Bug 1396849] Re: internalURL and adminURL of endpoints should not be visible to ordinary user
Morgan Fainberg
morgan.fainberg at gmail.com
Mon Dec 1 20:03:05 UTC 2014
Based on the ML topic, and that admin/internal URL is not universal (nor
clearly isolated) this is not something that we can likely fix without
breaking the API contract. We could look at changing the format of the
catalog, but I think this is a much, much, bigger topic. Many actions
need access to the different interfaces to succeed.
Second, if someone does not have the endpoint in the catalog it doesn't
prevent them from accessing/using the endpoint if they know if apriori.
This is not something that I expect we will change. This should be
handled in policy enforcement (currently policy.son)
Longer term we are looking at providing endpoint binding - in theory we
could expand this to cover the differing interfaces *where* possible.
Feel free to comment at https://review.openstack.org/#/c/123726/ on the
token constraint specification which will include the ability to
restrict the user from accessing a specific endpoint if they are not
authorized to do-so.
** Changed in: keystone
Status: New => Won't Fix
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1396849
Title:
internalURL and adminURL of endpoints should not be visible to
ordinary user
Status in OpenStack Identity (Keystone):
Won't Fix
Bug description:
if an ordinary user sent a get-token request to KeyStone, internalURL
and adminURL of endpoints will also be returned. It'll expose the
internal high privilege access address to the ordinary user, and leads
to the risk for malicious user to attack or hijack the system.
the request to get token for ordinary user:
curl -d '{"auth":{"passwordCredentials":{"username": "huawei", "password": "2014"},"tenantName":"huawei"}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens
the response:
{"access": {"token": {"issued_at": "2014-11-27T02:30:59.218772", "expires": "2014-11-27T03:30:59Z", "id": "b8684d2b68ab49d5988da9197f38a878", "tenant": {"description": "normal Tenant", "enabled": true, "id": "7ed3351cd58349659f0bfae002f76a77", "name": "huawei"}, "audit_ids": ["Ejn3BtaBTWSNtlj7beE9bQ"]}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77", "region": "regionOne", "internalURL": "http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77", "id": "170a3ae617a1462c81bffcbc658b7746", "publicURL": "http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.67.148.27:9696", "region": "regionOne", "internalURL": "http://10.67.148.27:9696", "id": "7c0f28aa4710438bbd84fd25dbe4daa6", "publicURL": "http://10.67.148.27:9696"}], "endpoints_links": [], "type": "network", "name": "neutron"}, {"endpoints": [{"adminURL": "http://10.67.148.27:9292", "region": "regionOne", "internalURL": "http://10.67.148.27:9292", "id": "576f41fc8ef14b4f90e516bb45897491", "publicURL": "http://10.67.148.27:9292"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.67.148.27:8777", "region": "regionOne", "internalURL": "http://10.67.148.27:8777", "id": "77d464e146f242aca3c50e10b6cfdaa0", "publicURL": "http://10.67.148.27:8777"}], "endpoints_links": [], "type": "metering", "name": "ceilometer"}, {"endpoints": [{"adminURL": "http://10.67.148.27:6385", "region": "regionOne", "internalURL": "http://10.67.148.27:6385", "id": "1b8177826e0c426fa73e5519c8386589", "publicURL": "http://10.67.148.27:6385"}], "endpoints_links": [], "type": "baremetal", "name": "ironic"}, {"endpoints": [{"adminURL": "http://10.67.148.27:35357/v2.0", "region": "regionOne", "internalURL": "http://10.67.148.27:5000/v2.0", "id": "435ae249fd2a427089cb4bf2e6c0b8e9", "publicURL": "http://10.67.148.27:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "huawei", "roles_links": [], "id": "a88a40a635334e5da2ac3523d9780ed3", "roles": [{"name": "_member_"}], "name": "huawei"}, "metadata": {"is_admin": 0, "roles": ["73b0a1ac6b0c48cb90205c53f2b9e48d"]}}}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1396849/+subscriptions
More information about the Openstack-security
mailing list